The Secret Sauce to Retail MFA
Retail is the poster child for customer experience. While multi-factor authentication (MFA) is often required for security, it can add friction that makes user experiences clunky. Retailers are even more sensitive to added friction now that the industry is being turned on its head by the “Amazon Effect,” the ongoing disruption in the market that is giving customers the ability to shop from the comfort of their homes. This trend is also forcing all retailers to focus on digital innovation and if you lag behind, your competition will gain an advantage. As a result of this explosion in new retail channels and digital properties, MFA is in high demand, but the friction it can add is often unacceptable.
As a retailer, you’re probably well aware of this trend. What you may be less aware of are the security holes that radical innovation driven by fierce competition can open up. Digital innovation and customer experience often drive decisions for retailers. However, securing your customer data cannot be forgotten. As you race to innovate, retailers should take care to ensure that they aren’t putting the security of their customer data at risk.
How is digital innovation affecting security?
Below is a chart from the 2018 Verizon Data Breach Investigations Report that shows where cybercrime has been increasing in retail. It shows that payment card skimmers and web applications account for the vast majority of breaches in recent years, nearly 80% of breaches when combined. Payment card skimmers are hardware devices that trick customers into inserting their credit card and then capture the card data. Breaches of web applications are more closely associated with the aforementioned innovation within retail.
2018 Verizon Data Breach Investigations Report | Retail
Digital innovation means more applications and siloed development teams to support these initiatives. These applications may be for employees or customer service reps to log in to so they help support customers, digital properties such as loyalty programs or mobile applications that customers themselves login to, or partner portals for your supply chain and business partners. It’s very likely all three.
As these applications are developed, they may not have used identity and access management (IAM) best practices. Via session hijacking, weak password policies or other oversights, hackers can find their way into these systems. Sometimes, your end users are your worst enemy here. They’ll reuse passwords across sites, fall victim to phishing scams or share their credentials with family members or co-workers. Even if you are abiding by IAM best practices, there is nothing you can do about careless end-users reusing passwords with another site that gets hacked. You have to operate under the assumption that your users’ credentials are already compromised.
Multi-factor authentication to the rescue
Whether it’s a partner portal, CSR application or customer mobile app, one of the best defenses to compromised credentials is multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA). Though technically the former can mean more than two authentication factors, and the latter means exactly two, they are often used interchangeably.
MFA Primer
Authentication factors usually fall into one of three categories:
It’s important to understand that when we say “two” or “multi” factor authentication, we’re talking about factors from two or more of the above categories. So requiring a password and then a mother’s maiden name doesn’t make the cut. Those are both from the same category above: something you know. To do MFA right, you need at least one factor from two separate categories.
Multi-factor authentication is your best defense against compromised customer credentials. It is even mandated by regulations such as PCI DSS, which requires MFA in certain situations, such as remote access. MFA is becoming commonplace across employee, partner and customer-facing applications. Even customers themselves are familiar with the term. If you’re reading this, I’m assuming you're a security professional and have definitely heard of the term. But if you try asking your non-technical friends or family members whether they’ve heard of MFA, I’ll bet they have. You can’t say the same for many other IAM or security acronyms.
PCI DSS Requirement 8.3.2
Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
How does multi-factor authentication help?
We talked about the different types of applications where compromised credentials might give hackers access to the personal data of your customers: employee, partner and customer applications. The attacks hackers launch may have different objectives depending on the type of application they’re trying to break into. In any case, the blame and reputation damage after a successful hack will fall on you, even if the cause is a phishing attack or case of credential reuse that is completely outside of your control. That’s why it’s so important for you to defend with MFA on all fronts. When it comes to fraud and breach of customer data, “it wasn’t our fault” is not an acceptable defense for retailers that are so dependent on their reputation.
MFA for employee and partner applications
Hackers trying to break into your employee or partner applications may be going for a bigger, quantitative score. If a hacker gains access to the right credentials, they have the potential to compromise the data of millions of your customers.
IAM security best practices such as active and passive alerting and limiting the number of accounts administrators can access help thwart breaches. MFA is one best practice in particular that you can add on to your identity infrastructure relatively easily. Done correctly, it can mitigate a large portion of the risk you face from compromised employee or partner credentials. For employees and partners, you want to make multi-factor authentication easy, but you don’t necessarily need the hyper-focus on usability that your customers require. The main reason is that it’s much harder for employees and partners to leave their jobs or take their business elsewhere than it is for a customer to buy from your competitor.
As we said earlier, digital innovation is causing a rapid rise in the number of applications within enterprises. When it comes time to implement an MFA solution for your employees and partners, you’ll come face to face with just how many applications you have.
It’s nearly impossible to ensure that all of your disparate application teams are complying with PCI DSS multi-factor authentication directives, providing consistent MFA experiences, and doing so in a convenient manner. To achieve this, centralized adaptive authentication policies that trigger MFA consistently across all applications are imperative. Using adaptive policies, you can evaluate contexts about user devices and behaviors as well as the resources they’re accessing to determine a level of risk associated with their authentication or authorization request. This means that you can require MFA for specific actions like an employee accessing an area of your application where they can access customer account information, or if they’re logging in from outside one of your office locations’ IP addresses. It also means you don’t have to inconvenience employees and partners if they aren’t exhibiting risky behavior.
In this way, your supply chain partners and employees can have consistent access to the resources they need, and even if their credentials are compromised—and you should assume they are—your customer data won’t be at risk.
MFA for customers
MFA for customers is a different animal entirely. First, hackers are usually attempting fraud, or a more qualitative hack, against a single customer. This can be used to make purchases with a credit card saved to an account, or for other high-value fraudulent activity against a single customer. Even cases of fraud caused by compromised credentials that are outside of your control can leave blemishes on your reputation that are hard to remove, especially if the exploit is circulated around the hacker community and widely leveraged against your customers before you can stop it.
As we established above, competition for retailers is fierce. You have to be hyper-focused on providing convenient experiences for your customers. The fact is, multi-factor authentication adds friction to that experience. When you require MFA for customers, you need to ensure that the added security doesn’t detract from their customer experience.
For customers, it becomes even more important to not add unnecessary friction with MFA requests every time they log in. The same concept of evaluating contextual data and only requiring MFA during risky scenarios applies. For example, you may choose to require multi-factor authentication if the customer is making a purchase over a certain dollar amount, updating their profile data, resetting their password, or in other risky scenarios.
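The centralized adaptive policy described in the employee/partner section and in the customer scenarios above, as an added example that is not code from the original post or from any vendor: every request is scored against context (known device, source network, the action and its value) and MFA is only demanded when a risk reason is present. The office networks and dollar threshold are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed office ranges and threshold; a real deployment loads these from policy config.
OFFICE_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
HIGH_VALUE_PURCHASE = 500.00  # dollars


@dataclass
class AuthContext:
    population: str      # "employee", "partner" or "customer"
    action: str          # e.g. "login", "purchase", "view_customer_pii", "password_reset"
    source_ip: str
    device_known: bool   # device already bound to this identity
    amount: float = 0.0  # purchase amount when action == "purchase"


def risk_reasons(ctx: AuthContext) -> List[str]:
    """Collect every reason this request is risky; an empty list means no step-up."""
    reasons = []
    # A new device is a risk signal for every population (new-device login is the
    # most common legitimate reason a real user sees an MFA prompt).
    if not ctx.device_known:
        reasons.append("new_device")
    if ctx.population in ("employee", "partner"):
        # Logging in from outside the office address space.
        if not any(ip_address(ctx.source_ip) in net for net in OFFICE_NETWORKS):
            reasons.append("off_network")
        # Reaching the part of the application that exposes customer account data.
        if ctx.action in ("view_customer_pii", "export_customers"):
            reasons.append("customer_data_access")
    else:
        # Customers: step up only for high-value purchases and account changes.
        if ctx.action == "purchase" and ctx.amount >= HIGH_VALUE_PURCHASE:
            reasons.append("high_value_purchase")
        if ctx.action in ("update_profile", "password_reset", "add_payment_method"):
            reasons.append("account_change")
    return reasons


def requires_mfa(ctx: AuthContext) -> bool:
    """Single decision point every application calls instead of implementing its own rules."""
    return bool(risk_reasons(ctx))
```

Because every application team calls the same `requires_mfa`, the PCI DSS remote-access requirement and the customer-facing friction budget are enforced in one place rather than per application.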
Even if you zero in on the exact scenarios where you should require MFA, the fact still remains that MFA adds friction to the customer experience. For that reason, when you do require multi-factor authentication, you have to do so in a manner that balances security and convenience.
One often-overlooked hole in an MFA strategy is not requiring specific details about what the customer is approving in an MFA request. That means an SMS, email or push notification to customers will say something like: “Your one-time password (OTP) is 245395.” Since there is no information about why the MFA request was sent, hackers can take advantage of this oversight just by obtaining a customer phone number and email address, which can be easily done online.
A common exploit is for the hacker to pose as a retail customer service representative, call the customer and claim that they need to “verify their identity” and they need them to read an OTP. Then, unbeknownst to the user, they attempt to reset their password, which sends a generic OTP that the customer is likely to read to the hacker over the phone, allowing them to reset the customer’s password.
Which type of MFA should we use?
A number of different forms of multi-factor authentication can be used for customers, employees and partners. They range from push notifications from a mobile app, SMS and email one-time passwords, hard tokens and more. There are two main questions to ask when choosing a medium to present MFA and one-time passwords to your users:
Even if you leverage centralized adaptive authentication policies and only require MFA during risky scenarios, you’ll still have to require it from time to time. Most of the time, it will actually be the right user, logging in from a new device or performing a high-value transaction. So it’s still important to offer a convenient form of multi-factor authentication.
For employees and partners, you might focus more on security than convenience. After all, they are probably not going to abandon you because they don’t like your MFA process. For that reason, it’s often acceptable to require them to carry around a hard token or download a separate mobile application for MFA.
Customers are a different story. They are incredibly sensitive to any friction in their experience. For them, hard tokens and third-party applications are usually not an option. It’s important to ensure that your MFA solution doesn’t add too much friction, even if it’s only required in risky scenarios. If MFA increases shopping-cart abandonment rates, your security initiative may be on the losing end of a battle with your company’s revenue goals.
We often see SMS and email MFA used in both customer and employee/partner MFA scenarios. Unfortunately, there are many known ways to bypass this type of MFA. SIM swapping, SMS interception and other methods can be used by hackers to get around it. If they know that a retailer allows customers to store credit cards on their account, which they can find out simply by creating their own account, they may deem a retailer’s customers high-value and be motivated to target those customers. If you’re using SMS or email for MFA, bypassing those mediums may not be as difficult as you think.
I’m not saying SMS and email should be entirely avoided. In fact, they are much more secure than not having MFA at all. However, retailers should aim to provide their customers, partners and employees with the most secure, convenient form of MFA possible.
Balancing security and convenience
So how do you find an MFA method for your customers that is both secure and convenient? One way is by embedding MFA into your own mobile app. It’s expected for retailers to have a mobile application. When that mobile application is installed on a customer’s smartphone, it has access to unique device identifiers that are tied to that specific device. These device secrets are much more difficult to spoof than a phone number. By design, a phone number can move from phone to phone; unique device identifiers cannot. By associating a user identity with these trusted device secrets, you can ensure that MFA push notifications go straight to that trusted device.
Furthermore, you can modify push notifications with specific transaction details to prevent some of the vulnerabilities we discussed above. For example, you can send a user a push notification from your own retail application that says “Someone is making a purchase of $546.76 with your saved credit card. Do you approve?” or “Someone is trying to change your password. Do you approve?” This leaves no doubt in a user’s mind as to exactly what they’re approving.
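The generic-OTP gap described earlier and the transaction-specific message described here, as an added example that is not code from the original post or from any vendor SDK. It goes one step beyond the text: besides naming the action in the message, the code is computed as an HMAC over the action and its details, so a code issued for a password reset cannot be replayed to approve a purchase, and each challenge is single use with a five-minute lifetime. The key, the message wording and the `ChallengeStore` class are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Tuple


def _canonical(action: str, detail: str) -> bytes:
    # Length-prefixed fields so two different (action, detail) pairs never encode alike.
    return f"{len(action)}:{action}|{len(detail)}:{detail}".encode()


def transaction_otp(key: bytes, action: str, detail: str, nonce: bytes, digits: int = 6) -> str:
    """HOTP-style truncation of HMAC-SHA256 over the transaction plus a per-challenge nonce.
    The resulting code only verifies for this exact action (constructed example)."""
    mac = hmac.new(key, _canonical(action, detail) + nonce, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class ChallengeStore:
    """Server side: one pending challenge per user, consumed on first verification attempt."""

    def __init__(self, key: bytes, ttl_seconds: int = 300):
        self.key, self.ttl = key, ttl_seconds
        self.pending: Dict[str, Tuple[bytes, float]] = {}  # user -> (nonce, expiry)

    def create(self, user: str, action: str, detail: str) -> Tuple[str, str]:
        """Returns the message to send out of band and the code itself (for the test)."""
        nonce = secrets.token_bytes(16)
        self.pending[user] = (nonce, time.time() + self.ttl)
        otp = transaction_otp(self.key, action, detail, nonce)
        # The message states exactly what the code approves, so a customer asked by a
        # caller to "read back the code" can see it does not match what they are doing.
        message = f"Code {otp} approves: {action} ({detail}). If this wasn't you, ignore it."
        return message, otp

    def verify(self, user: str, action: str, detail: str, submitted: str) -> bool:
        """action/detail are what the server is about to perform, not what the client claims."""
        entry = self.pending.pop(user, None)  # single use: removed on any attempt
        if entry is None:
            return False
        nonce, expires = entry
        if time.time() > expires:
            return False
        expected = transaction_otp(self.key, action, detail, nonce)
        return hmac.compare_digest(expected, submitted)
```

The same message text works for a push notification, SMS or email; the push variant simply replaces the typed code with an approve/deny tap on the bound device.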
This method also tends to be more convenient than SMS or email MFA. SMS MFA often requires you to use clunky smartphone copy and paste UIs to copy a one-time password, or requires you to remember a long random number as you type it into the device from which you’re accessing the retail site. Email causes you to open a separate browser tab to check your email, then another browser tab as you click the verification link.
Using push notifications simply allows the user to input their thumbprint, scan their face if they have a newer smartphone or approve the request from their smartwatch. This method is both more secure and more convenient for end users. Many IAM vendors have mobile SDKs that can help you elegantly embed this capability into your own iOS or Android mobile applications.
Of course, you can’t force your users to download your mobile app, though offering a more secure, convenient MFA experience in your app can be a benefit that increases downloads. Still, some will choose not to download your app. In those cases, it’s perfectly acceptable to use SMS and email MFA as a backup, especially if you include specific details about what they’re approving. In any case, offering those methods as backup authentication factors is much better than no MFA at all.
Leveraging MFA for Secure and Seamless Retail
Rapid innovation in retail is causing an influx of new technology. Users of that technology, whether they’re customers, partners or employees, will likely have their credentials compromised, putting their data at risk. Multi-factor authentication is your best defense against compromised credentials, but when you implement it, you have to ensure you’re choosing a secure method. For customers, you also have to take great care to ensure that the MFA method you choose is convenient, and doesn’t add friction to their experience.
Learn how the PingID SDK can provide secure, convenient MFA for retailers.